napi is vulnerable to Use-After-Free
35
Low Risk
The napi runtime routes deferred cleanup of owned Buffer and TypedArray values through a single process-global custom-GC threadsafe function created by the first isolate that loads the addon. Because that path carries no owning env, a value dropped off its owning JavaScript thread under worker_threads has its napi_ref unreferenced and deleted through another isolate's environment, producing a cross-isolate use-after-free on V8 global handles. This can abort the Node.js process or corrupt memory when an async function consumes a Buffer or typed array across worker isolates. The fix gives each environment its own custom-GC handle so cross-thread drops are routed through the value's owning isolate.
You are affected if you are using a version that falls within the vulnerable range and your addon passes owned Buffer or TypedArray values into async functions that can be dropped off the owning JavaScript thread, typically under worker_threads.
napi is vulnerable to Use-After-Free in versions 2.10.0 - 3.9.4.
Upgrade the napi library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant